Protection of Personal Information Act: Conditions for Lawful Processing of Personal Information
With the recent proclamation by the Presidency, the majority of the remaining sections of the much-anticipated Protection of Personal Information Act 4 of 2013 ("POPIA") will come into effect on 1 July 2020, with a few more sections to come into operation on 30 June 2021.
POPIA aims to protect personal information processed by public and private bodies and seeks to balance the right to privacy against other protected rights, such as access to information. This is ground-breaking legislation in the South African legal system, as it is the first piece of legislation to really deal with the protection of personal information and the vast amounts processed.
POPIA will regulate the processing of personal data and ensure that the personal information provided by data subjects will be protected and the use thereof highly restricted. This article deals with the eight conditions for the processing of information in terms of POPIA. First, however, it would be prudent to define what “processing” means in terms of the Act. “Processing” is defined in section 1 of POPIA as follows:
"Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;"
The definition of processing in POPIA is very wide, and it is arguable that processing may be any act or conduct relating to personal information.
POPIA contains eight conditions for the lawful processing of personal information:
- The first condition is accountability. POPIA requires that the party responsible for the processing of the personal information has to ensure compliance with all conditions in POPIA. In the event of non-compliance, the information officer can be held responsible.
- The second condition has four aspects: the processing of information should be done lawfully; the personal information to be processed should be linked to a purpose; the information required should be minimal and only linked to the purpose; and there should be consent for the processing and/or justification as contained in section 11 of POPIA.
- The third condition relates to the purpose-specification principle. This principle requires that the purpose for the collection of the personal information be specified before it is collected, that the data subject be informed of this purpose, and that the information not be kept for longer than necessary to achieve the purpose of collecting it.
- The information collected and processed should be up to date, complete and accurate.
- No personal information is to be further processed in a way that is incompatible with the purpose for which it was originally collected. Of course, there are exceptions to this, all contained in section 15(3) of POPIA.
- The data controller should maintain documentation of its processing operations and supply the data subjects with certain information, such as who is collecting their information and the purpose of their information being collected.
- The personal information is to be protected by the implementation of reasonable measures to ensure the integrity and confidentiality of personal information. This includes the identification of all reasonably foreseeable internal and external risks, appropriate safeguards against those risks, regular testing of the measures implemented, and continual updating of the safeguarding measures.
- Lastly, a data subject should have the right to access their personal information and to correct such information.
This article is by no means a complete explanation of POPIA and the importance thereof. It is merely intended to assist information officers by pointing out the eight conditions set out in the Act that have to be met for the processing of information to meet the lawful standard in terms of POPIA. Information contained in this article must in no way be construed as legal advice.
This article was written and compiled by Jean-Roux van Huyssteen with the assistance of Phiwokuhle Ncanywa.